Firewalld Direct.xml


HI All – I created a /etc/firewalld/direct.xml file and put in it :

-s 192.168.1.8 -j blacklist

I rebooted, so then from the 192.168.1.8 machine I tried to ping the machine. It responds. I was expecting it not to respond?

What do I not have right with the direct.xml file?

Thanks

Jerry

2 thoughts on - Firewalld Direct.xml

  • it looks like it does work – it just takes a REAL long time to load with
    “many” entries in the file. iptables was never slow. firewalld seems inefficient.

    I was able to add the line – restart the firewall, (wait) – see my packets dropped – remove the line –
    restart the firewall (wait) and able to ping again.

    I thought this “Direct.xml” file would be the fastest way for firewalld –
    but there is multi-minute wait to restart. I have about 14000 entries.

    Jerry

  • I would think ipset would be a more suitable tool for the task in hand, which can do the task instantly if you create and update a copy of your set and then swap the sets.
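The copy-and-swap approach from the reply above, as an added example that is not from either poster: a POSIX shell function that turns a plain list of addresses into an `ipset restore` script which fills a temporary set and then atomically swaps it into the live one, so a 14000-entry list never goes through a firewalld reload. The set names, the sample input and the DROP rule are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates text only, so it
# runs without root; pipe the output into `ipset -exist restore` on the host.

# Emit ipset restore commands for the IPs read on stdin (one per line;
# blank lines, "#" comments and malformed lines are skipped).
# $1 = name of the live set referenced by the firewall rule (assumed name).
build_ipset_restore() {
    live="$1"
    tmp="${live}_tmp"
    # Both sets are created with the same type so that `swap` is allowed;
    # run the result through `ipset -exist restore` so reruns do not fail.
    printf 'create %s hash:ip family inet hashsize 16384 maxelem 65536\n' "$live"
    printf 'create %s hash:ip family inet hashsize 16384 maxelem 65536\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    # Keep only dotted-quad shaped lines and drop duplicates; ipset itself
    # rejects out-of-range octets when the script is loaded.
    grep -E '^[[:space:]]*[0-9]{1,3}(\.[0-9]{1,3}){3}[[:space:]]*$' \
      | sed -E 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | sort -u \
      | while read -r ip; do
            printf 'add %s %s\n' "$tmp" "$ip"
        done
    # swap is atomic: traffic is matched against the new list immediately,
    # with no window where the live set is empty and no firewalld reload.
    printf 'swap %s %s\n' "$tmp" "$live"
    printf 'destroy %s\n' "$tmp"
}

# Number of "add" lines the script would contain, as a sanity check.
count_adds() {
    build_ipset_restore "$1" | grep -c '^add '
}

# Constructed sample blocklist: a comment, a duplicate and one bad line.
sample_input() {
    printf '# constructed blocklist\n192.168.1.8\n10.0.0.5\nnot-an-ip\n192.168.1.8\n'
}

# On the firewall host (root), load the list and point one permanent direct
# rule at the set once; later list updates only rerun the first command:
#   sample_input | build_ipset_restore blacklist | ipset -exist restore
#   firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
#       -m set --match-set blacklist src -j DROP && firewall-cmd --reload
```

The set must already exist when firewalld loads the direct rule, so the restore step has to run before firewalld starts at boot (a hand-made ipset is not persisted by firewalld itself).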